I have a folder with permissions:
- Administrators (group): Full.
- J. Bloggs: Full.
I'm logged in as a member of the Administrators group.
I can't open the folder in Explorer because "you do not have permission".
I suspect this is because normal processes do not have the administrator permission token because of UAC, unless you also 'run as administrator'. But I can't do that for Windows Explorer, can I?
So my options seem to be: - Click the button to take ownership (ruins ownership, takes ages on large folders, doesn't solve for other administrators) - Add each individual administrator account with full permissions so it works without the admin token (administrative mess, what's the point in groups)
This is a really annoying design, I must be missing something. How is it supposed to work? What's the 'right' way for an administrator to get into a folder that administrators have access to?
The best way is to define a new group containing members that you consider to be administrators of that folder. If you have an AD domain, you can create this group in AD and then add that group to the Administrators group (of the local machine) and avoid having to administer two groups.
Note: If you're trying this locally, remember you have to log off and back in again for the new permissions to take effect.
The solution is to simply manage the server remotely. The UAC filtering of the administrator privileges only applies when you are accessing the local system.
With the release of Server Core, Microsoft has been strongly encouraging people to remotely administer servers instead of connecting to them directly to manage them.
Of course if you have a really small network this may not be feasible, so disabling the UAC is fine, or adjusting the filesystem permissions so that another group is used instead of administrators to grant permissions.
There are two options to work around this limitation easily:
Grant Read/Execute permission at the drive root the built-in principal called "Interactive". Then no change to UAC is required.
This way people logged into the desktop remotely or "locally" (VM console or physical screen and keyboard) can still browse files and run programs even with UAC enabled.
For example, you could remove the default "Users can read and create everything from the root" permission to lock down the server sensibly, but avoid the inability to effectively logon, browse files and navigate to where you want to change settings as administrator.
As soon as you open the security dialog and want to change permissions, a button appears to change the settings as administrator. So you get the best of both worlds:
The only difference to the standard permissions, is we are not saying that only local "Users" accounts can read everything, but only people granted access to the Windows console, i.e. that logically means "physical" (or virtual) "interactive" server access, which is not just granted to anybody. This may not work for terminal servers unless there is a better way to distinguish between those types of sessions (suggest edit if you know that).
Of course the first advice is use server core/remote admin whenever possible. But when not, this helps avoid the common end-effect that a server were the default users permissions are removed end-up with dozens of personal user account permissions applied all over the place. And it's not really the fault of the administrator, they are just trying to do their job with standard tools without any special complexity (just use File Explorer normally).
Another positive effect of this solution, is by being able to lock-down the root drive permissions and still have the server "usable" for the administrator logged onto the desktop, the need to disable inheritance to remove unwanted permissions from above often disappears. The fact that all users can read and create whatever they want below your shared path by default is a common reason to disable inheritance when nobody wants to deal with the "root" cause ;-)
Yes, you CAN run Explorer with Elevated privileges to solve your issue!
To do so, you must:
Task ManagerDetailstabExplorer.exe" running as your user.FileStart New Process"Explorer.exein the "Open:" Drop-down.CheckboxNext to "Run task with administrative privileges"OKaccept.Voila!
Your Start menu re-appears, and Windows explorer is Elevated!
You are now running Explorer as an elevated process so any explorer actions which required elevation will work without needing to elevate each time.
So you can Delete a folder or traverse a folder or check permissions or read a file without needing to run elevated for each individual action.
I ran into this because we use admin approval mode to elevate without prompting, however for deleting folders and files and sometimes for accessing them, this is causing us trouble when the user is a member of the local administrator's group instead od having express permissions, elevating Explorer resolved that issue.